Re: Kinda OT: Dealing with cracker attempts...
> > ..heres a hint, have you ever stuck a microphone in front of a p.a. speaker
> > and turned the gain up really high??
>
> Getting into that kind of loop is what the following part of the
> script avoids:
>
> ABUSER=`/bin/grep -x $2 $LOGFILE`
> if [ "$ABUSER" == "" ]; then
> echo $2 >> $LOGFILE;
>
> It will only do it once per host.
Yes, that can prevent the simple 'feedback loop' case, but you have still
made it much easier to launch a malicious DOS attack against your own box
or even to disguise a real penetration attempt.
> When it comes to spoofed packets,
> isn't that what good firewall rules are for-- catching those naughty
> kinds of packets?
But can you be sure everyone you encouraged to run such a script
will also have good firewall rules even if you do..
Consider this.. for whatever reason I decide today I'll cause you some
grief (maybe you unknowingly portscanned me with your script ;-). I know
you've carefully configured your firewall to drop spoofed packets, but I
also know 50 other hosts running these 'defensive' scripts that don't.
So instead of launching a frontal assault on your box I tickle a 'guarded'
port on each of these boxes and tell them that it came from you. I could
ping hundreds of hosts like this in a few short seconds, but your box is
going to be very busy for quite some time -- and you are going to have to
sift through a mighty full log to single out anything else I may care to
try on your machine while it is busy trading portscans with the rest of
the world, assuming of course your logger doesn't just croak or fill all
the hd space you gave it or even drop many of the things it should have
been logging.
> This little script is just an instrument for gathering a little
> possibly useful information and is meant to fit in with other security
> measures; it's shouldn't just stand alone.
Don't get me wrong, I'm not suggesting that you don't log requests to
ports that you may consider 'sensitive' but automated 'counter attacks'
are about as 'safe' as homemade grenades. You could easily get almost as
much *useful* information without them. (eg. why automate traceroute?
in network terms its relatively expensive, and what do you gain by doing
it automatically every time? If you have the IP number, the route will
still be the same (more or less) if you choose to check it manually in
the morning. Is there any real benefit (except as novelty value) to having
a portscan of an intruder if they are no longer online by the time you
read it?)
Log 'intruders' IP by all means.. even finger them or refuse connection
without an ident lookup.. but if you want to scan them back then I'd
strongly suggest that's something that should be done manually by a
discriminating human.. if your attack bot starts pounding on my host
(even as a result of someone elses actions) then abuse@your.isp may not
agree with you that its an acceptable thing to do.
..anyway my cron run just finished so I guess that's a sign I should
shut up and go to bed ;)
best,
Ron.
Reply to: